WyzGuys Tech Talk

Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential

CNN just reported on a Jan 23 Intelligence Bulletin from the US Department of Homeland Security (DHS) that warned state and local governments and critical infrastructure operators about the risk of Russia hitting the US with cyber attacks in retaliation for a possible US or NATO response to a potential Russian invasion of Ukraine.
The agency said Russia could employ anything from denial-of-service attacks to more destructive ones aimed at disrupting critical infrastructure.

Specifically, CISA just highlighted a warning by Microsoft about malware focused on deleting the Master Boot Record of Windows devices that was being used in attacks on Ukrainian organizations.
CISA also put out a set of recommendations – particularly if your organization is working with a Ukrainian business or has an office in Ukraine – that includes steps to reduce the likelihood of attack, detection of potential intrusions, incident response should an attack occur, and a focus on being cyber resilient. CISA noted with concern: “The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure”.

Remember the 2017 NotPetya attack? In a report published by Wired, a White House assessment pegged the total damages brought about by NotPetya to more than $10 billion. This was confirmed by former Homeland Security adviser Tom Bossert, who at the time of the attack was the most senior cybersecurity focused official in the US government.

More recently, “58% of all cyberattacks from nation-states have come from Russia,” said Tom Burt, Microsoft corporate vice president.

The downtime caused by NotPetya was horrendous. Think your cybersecurity insurance might cover the cost? Not so fast. Some insurance companies cited “act of war” exclusions to try to avoid covering the NotPetya damage. This is now in the courts, and this WSJ article is great ammo to add to a budget request.

Cybersecurity has moved from IT to a CEO and board-level business issue

You did not sign up for this, but today it is abundantly clear that as an IT pro you find yourself on the front line of 21st-century cyber war. Cybersecurity has moved from IT to a CEO and board-level business issue. I strongly suggest you have another look at your defense-in-depth, and make sure to:

  • Have weapons-grade backups
  • Religiously patch
  • Step your users through refresher security awareness training

Now that the new year has started and you need to comply with a raft of regulations, it’s a great time to schedule your users for a refresher awareness training module to keep them on their toes with security top of mind.


FBI Releases PIN on Iranian Cyber Group Emennet Pasargad

Original release date: January 27, 2022

The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) that provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures to enable readers to identify and defend against the group’s malicious cyber activities.

CISA encourages users and administrators to review FBI PIN: Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad and apply the recommended mitigations.

“PwnKit” security bug gets you root on most Linux distros – what to do

An elevation of privilege bug that could let a “mostly harmless” user give themselves an instant root shell

Patch now: A newly discovered critical Linux vulnerability probably affects your systems

Dubbed PwnKit, it’s been sitting in a user policy module used in Linux distros for over a decade and can be used by anyone to gain root privileges. Here’s what you can do to protect your systems.

North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

Posted by Threat Intelligence Team

This blog was authored by Ankur Saini and Hossein Jazi

Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022.

In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use their known job opportunities theme. We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin.

In this blog post, we provide technical analysis of this latest attack including a clever use of Windows Update to execute the malicious payload and GitHub as a command and control server. We have reported the rogue GitHub account for harmful content. More…

Deadbolt ransomware hits more than 3,600 QNAP NAS devices

More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.

Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.

The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.

According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key to unlock their files, while in a second note, the hackers demand 50 Bitcoin ($18.6 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users. More…

By Brian Krebs
In December 2021, researchers discovered a new ransomware-as-a-service named ALPHV (a.k.a. “BlackCat”), considered to be the first professional cybercrime group to create and use a ransomware strain written in the Rust programming language. In this post, we’ll explore some of the clues left behind by a developer who was reputedly hired to code the ransomware variant.

According to an analysis released this week by Varonis, ALPHV is actively recruiting operators from several ransomware organizations — including REvil, BlackMatter and DarkSide — and is offering affiliates up to 90 percent of any ransom paid by a victim organization. More…

Coronavirus SMS scam offers home PCR testing devices – don’t fall for it!

Free home PCR devices would be technological marvels, and really useful, too. But there aren’t any…
About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
